Former Chief Privacy Adviser to Microsoft: Legal and Technical Implications of the NSA Surveillance Octopus

If anyone has any doubts about the scope of the NSA's wiretapping and Internet surveillance network, let me recommend listening to a real professional of the IT industry.

Mr. Caspar Bowden, Microsoft's former Chief Privacy Adviser, has released a presentation given for the European Union Cloud Data Protection Strategy in Brussels.


So did the European governments know about the scope of U.S. foreign surveillance before the NSA leaks? Short answer: yes.

This presentation was given to EU government officials before the leaks. I added a few explanations of my own for clarification. Read on and prepare for your jaw to drop.

Foreign Intelligence Surveillance Act Amendments Act of 2008 (FISAAA)

ECPA 1986: "provision to the public of computer storage or processing services by means of an electronic communications system" (i.e. the Cloud).

  • Purely political surveillance

  • Surveillance of ordinary democratic and lawful activities

  • Completely unlawful under the European Convention on Human Rights (ECHR)

Secure Sockets Layer useless

  • Access reaches inside the SSL session through the Foreign Intelligence Surveillance Act §1881a

  • Cloud providers (Google, Apple, Yahoo, Akamai) have to cooperate by building interception capabilities at the OSI layer where e-mails and files can be read directly, because reconstructing them from packets at a lower OSI layer is not efficient enough

  • EU data completely at risk

Technical defences useless

  • Consumer-grade encryption is not NSA-proof

  • Trusted Platform Module 1.2 (TPM) is broken

The EU is working on similar data surveillance programs

The European Telecommunications Standards Institute (ETSI) has been developing since 2012 a Lawful Interception as a Cloud Service (LIaaS): using the Cloud to surveil the Cloud, rendering all SSL applications useless.

The Article 29 Data Protection Working Party of the EU states:

"The need to be transparent where national legislation prevents the group from complying with the BCR - Any legally binding request for disclosure of the personal data by a law enforcement authority shall be communicated to the data Controller unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation."

In plain English: the EU intercepts all data from Internet companies and does not have to tell the intercepted organisations about the surveillance.

Advice to Cloud Users

  • Avoid US organisations, e.g. those that rely on Safe Harbor compliance

  • Avoid organisations that exclude lawful foreign requests from the organisation's data protection model

  • Prefer organisations under a single, exclusive jurisdiction

  • Prefer Open-Source stacks with a verifiable trail of code

Conclusions

  • European Union personal data is naked and unprotected against the NSA and the U.S. Foreign Intelligence Surveillance Act Amendments Act of 2008

  • No defences exist today, nor are any planned

  • The EU Commission and MEPs did not know about the surveillance provision §1881a until 2012

  • Free/Libre Open Source Software has crucial security advantages for the Cloud

  • Safe Harbour is an oxymoron (the opposite of its title): all 7 principles on which the deal is based are void


Sources:

Caspar Bowden, Former Chief Privacy Adviser to Microsoft 2002-2011, Director of the Foundation for Information Policy Research 1998-2002: http://www.surveillancehumanrights.org/uploads/EUClouddataprotectionstrategyBrussels-CasparBowden-28.5.2013.pdf

Article 29 Data Protection Working Party, 2012: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp195_en.pdf

ETSI developing LIaaS, 2012: http://moechel.com/doqs/20120625,3GPPSA3LIDTR101567cloudinterceptionv01_0.pdf